Opt-outs 'subtly influence the individual to agree'

Businesses should provide people with an "opt out" right to object to the processing of their personal data when they make an assessment that consent is not necessary as part of a big data project, an EU privacy watchdog has said.

European Data Protection Supervisor (EDPS) Giovanni Buttarelli said, though, that "more efforts are needed" by industry to show that opt-out mechanisms are sufficiently "effective and easy to exercise" before they can be "endorsed" for practical use.

Buttarelli's comments come in a new opinion the EDPS has issued on meeting the challenges of big data (PDF). They suggest that businesses may have greater leeway in future to rely on the "legitimate interests" ground as an alternative to consent for processing personal data under EU data protection laws when engaging in big data projects.

"The right to object to processing ... can become a powerful tool in the hand of the individuals when it is implemented as an unconditional, ‘no questions-asked’ opt-out," Buttarelli said.

"This may, in some circumstances, help establish the right balance between the right of the individual to have a degree of control over his or her data and the flexibility required for businesses to develop and innovate and make best use of the vast amount of data generated online and offline," he added.

"An unconditional opt-out means that an individual is aware that his data is processed and knows he could opt-out if he chose to do so. He may or may not wholeheartedly embrace the fact that his data is being processed, however, often is not sufficiently negatively affected – or simply not ‘bothered’ – to change the default setting. Opt-outs subtly influence the individual to agree, without altogether denying him the right to disagree," he said.

"Especially in borderline cases where the balance between the legitimate interests of the controller and the rights and interests of the data subjects are difficult to strike, a well-designed and workable mechanism for opt-out (while not necessarily providing data subjects with all the elements that would satisfy a valid consent under European data protection law) could play an important role in safeguarding the rights and interests of the individuals," Buttarelli said.

The EDPS said society must decide on "the conditions under which we require controllers to obtain genuine consent and when to content ourselves merely with an assessment of the balance of interests and an opt-out".

"We must in particular, aim to distinguish data processing whose benefits are general/societal, from those that merely provide economic benefits to those processing the data," Buttarelli said. "We must also assess the potential impact on the individuals concerned, and carefully balance these two as well as all other relevant factors."

Existing data protection law principles must be "complemented by ‘new’ principles ... such as accountability and privacy by design and by default".

The "responsible and sustainable development of big data" should be based on organisations being more open about their use of personal data, consumers gaining more control over how their data is use, user-friendly data protection measures being built into new products, and services at the design stage, and greater accountability," Buttarelli said.

Buttarelli said: "Big data, if done responsibly, can deliver significant benefits and efficiencies for society and individuals in health, scientific research, the environment, and other specific areas."

"But, there are serious concerns with the actual and potential impact on the rights and freedoms of individuals of processing of huge amounts of data, including their right to privacy. The challenges and risks of big data, therefore, call for more effective data protection," he added.

The EDPS said businesses need to give "clear information" to people to explain what data of theirs is processed. This includes "data observed or inferred about them", he said.

Organisations also need to ensure data subjects are "better informed on how and for what purposes their information is used, including the logic used in algorithms to determine assumptions and predictions about them", he said.

Buttarelli said giving data subjects more control over how their data is used "will help ensure that individuals are more empowered to detect better unfair biases, to challenge mistakes" as well as "prevent the secondary use of data for purposes that do not meet their legitimate expectations".

"With a new generation of user control, individuals will, where relevant, be given more genuine and better informed choice and enjoy greater possibilities themselves to use their personal data better," Buttarelli said.

"Powerful rights of access and to data portability and effective opt-out mechanisms may serve as a precondition to allow users more control over their data, and may also help contribute to the development of new business models and more efficient and transparent use of personal data," he added.

Buttarelli said that there needs to be a "more coherent" approach to the way the EU addresses big data risks using all the "modern tools available" to it, which extend beyond the realm of data protection.

Those tools include consumer protection and competition powers related to research and development. Using these tools more coherently can help "ensure safeguards and choice in the marketplace where privacy friendly services can thrive", he said. ®